Monday, February 8, 2016

Overwriting/Removing Cover Photos on Facebook Event Pages

This blog post is about an Insecure Direct Object Reference vulnerability in Facebook Events which would have let an attacker remove or overwrite your Event cover photo just by replacing his own Event id with yours in the Event editing request.

Vulnerability Description

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks. Reference: OWASP
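To make the description concrete, here is an added example (not code from the original post, and not Facebook's implementation) that models an "edit event cover photo" handler in Python with an in-memory store. The event ids, user ids, filenames and function names are all constructed for the demo. The vulnerable handler trusts the client-supplied event id and only knows who the caller is from the session; the fixed handler resolves the object and checks that the caller owns it before changing anything.

```python
# Added example: an Insecure Direct Object Reference in an "update cover photo"
# handler, beside the ownership-checked version. All ids and names are constructed.

from dataclasses import dataclass
from typing import Dict, Optional


class AuthorizationError(Exception):
    """Raised when a caller tries to act on an object it does not own."""


@dataclass
class Event:
    event_id: int
    owner_id: int
    cover_photo: Optional[str] = None


def make_store() -> Dict[int, Event]:
    """Constructed sample data: two users, each owning one event with a cover photo."""
    return {
        1001: Event(1001, owner_id=1, cover_photo="alice_cover.jpg"),
        1002: Event(1002, owner_id=2, cover_photo="bob_cover.jpg"),
    }


def update_cover_vulnerable(store: Dict[int, Event], caller_id: int,
                            event_id: int, new_cover: Optional[str]) -> Event:
    """Vulnerable handler: the session proves who caller_id is, but the
    client-supplied event_id is used directly with no ownership check, so any
    logged-in user can overwrite (or remove, with new_cover=None) the cover
    photo of any event id they submit."""
    event = store[event_id]          # direct object reference, no authorization
    event.cover_photo = new_cover
    return event


def update_cover_fixed(store: Dict[int, Event], caller_id: int,
                       event_id: int, new_cover: Optional[str]) -> Event:
    """Fixed handler: resolve the object, then verify ownership before mutating.
    "Missing" and "not yours" return the same error so the endpoint cannot be
    used to enumerate which event ids exist."""
    event = store.get(event_id)
    if event is None or event.owner_id != caller_id:
        raise AuthorizationError("event not found or not owned by caller")
    event.cover_photo = new_cover
    return event


def demo() -> dict:
    """Run the same request (user 2 editing event 1001, owned by user 1)
    against both handlers and report what happened to each store."""
    vuln = make_store()
    update_cover_vulnerable(vuln, caller_id=2, event_id=1001, new_cover=None)

    fixed = make_store()
    try:
        update_cover_fixed(fixed, caller_id=2, event_id=1001, new_cover=None)
        blocked = False
    except AuthorizationError:
        blocked = True
    # The legitimate owner can still edit their own event through the fixed handler.
    update_cover_fixed(fixed, caller_id=2, event_id=1002, new_cover="bob_new.jpg")

    return {
        "vulnerable_victim_cover": vuln[1001].cover_photo,  # None: removed by user 2
        "fixed_victim_cover": fixed[1001].cover_photo,      # unchanged
        "fixed_blocked": blocked,                           # True
        "fixed_own_cover": fixed[1002].cover_photo,         # "bob_new.jpg"
    }


if __name__ == "__main__":
    print(demo())
```

The point of the fix is that authentication (knowing who the caller is) is not authorization (knowing the caller may touch this object); the check has to be made against the object actually resolved from the request, on every mutating endpoint, not only on the page that renders the edit form.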

Appaustic is an app development company helping start-ups and enterprises interact effectively with their clients. We develop smart apps for iOS and Android, and we also have experts in Facebook app development.